US10909239B2 (Active, Utility)

Advanced file modification heuristics

Assignee: WEBROOT INC
Priority: Jun 29, 2017 · Filed: Jun 29, 2017 · Granted: Feb 2, 2021
Est. expiry: Jun 29, 2037 (~11 yrs left; nominal 20-yr term from priority)
Inventors: KLONOWSKI ERIC; CHETLUR SESHA SAILENDRA
CPC: G06F 21/566; G06F 21/554; G06F 2221/034; G06F 21/552; G06F 21/6218
PatentIndex score: 57 · Cited by: 0 · References: 21 · Claims: 20

Abstract

Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read/write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion, thereby mitigating malicious cyberattacks and/or unauthorized accesses.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A system comprising:
    at least a first processor; and
    memory coupled to the at least one processor, the memory comprising computer executable instructions that, when executed by the at least one processor, performs a method for implementing advanced file modification heuristics, the method comprising:
        monitoring software content, wherein the monitoring comprises detecting I/O operations associated with accessing data content;
        analyzing the I/O operations by:
            determining whether a first I/O block in the I/O operations is a read operation;
            when it is determined that the first I/O block is a read operation, analyzing the I/O operations to determine whether the I/O operations modify the data content; and
            when it is determined that the I/O operations modify the data content, applying a mathematical analysis to only the instructions of the I/O operations to determine whether the software content is performing at least one of an encryption operation and a compression operation to the data content; and
        based on the mathematical analysis of only the instructions of the I/O operations, performing one or more actions relating to the software content.

2. The system of claim 1, wherein the I/O operations are generated by one or more system filter drivers associated with the system.

3. The system of claim 1, wherein analyzing the I/O operations comprises identifying one or more sequences of corresponding read and write operations.

4. The system of claim 3, wherein the first I/O block in the one or more sequences is analyzed to determine the amount of the data content being read by the software content.

5. The system of claim 4, wherein, when less than all of the data content is being read by the software content, the analyzing of the I/O operations is terminated by the system.

6. The system of claim 1, wherein analyzing the I/O operations comprises identifying a cumulative read size and a cumulative write size, and comparing the cumulative read size to the cumulative write size to determine whether at least one of compression and encryption is being used.

7. The system of claim 1, wherein the mathematical analysis utilizes at least one of Shannon Entropy, Chi-squared test, and Monte Carlo methods.

8. The system of claim 1, wherein performing the one or more actions comprises applying one or more sets of logic to the I/O operations.

9. The system of claim 8, wherein the one or more sets of logic provide for organizing the I/O operations into one or more categories, the one or more categories comprising at least one of: read/write operations, types of compression, types of encryption determinations, and software content classifications.

10. The system of claim 8, wherein the one or more sets of logic provide for determining whether the software content is malicious.

11. The system of claim 10, wherein determining whether the software content is malicious comprises comparing the I/O operations to a set of known I/O operations, evaluating a permission, generating a metric representing a confidence associated with the determination, comparing a confidence metric to one or more thresholds, and applying the confidence metric to one or more rule sets to generate one or more labels.

12. The system of claim 8, wherein the one or more sets of logic provide for generating a notification, wherein the notification comprises at least one of: a label, categorized data, confidence metrics, and a suggested remedy.

13. The system of claim 8, wherein the one or more sets of logic provide for automatically mitigating, by the system, the I/O operations, wherein the mitigation comprises halting the read/write operations of the software content, restricting access to the data content, suppressing functionality available to the software content, and restoring a previous versions of the data content.

14. A method for implementing advanced file modification heuristics, the method comprising:
    monitoring software content, wherein the monitoring comprises detecting I/O operations associated with accessing data content;
    analyzing the I/O operations by:
        determining whether a first I/O block in the I/O operations is a read operation;
        when it is determined that the first I/O block is a read operation, analyzing the I/O operations to determine whether the I/O operations modify the data content; and
        when it is determined that the I/O operations modify the data content, applying a mathematical analysis to only the instructions of the I/O operations to determine whether the software content is performing at least one of an encryption operation and a compression operation to the data content; and
    based on the mathematical analysis of only the instructions of the I/O operations, performing one or more actions relating to the software content.

15. The method of claim 14, wherein the monitoring further comprises using monitoring tools to observe information associated with at least one of: event files, I/O logs, and kernel-mode components.

16. The method of claim 14, wherein analyzing the I/O operations comprises applying a first set of advanced file modification heuristics to the I/O operations, and applying the encryption analysis comprises applying a second set of advanced file modification heuristics to the I/O operations.

17. The method of claim 14, wherein determining whether the I/O operations modify the data content comprises evaluating the chronological sequence of I/O operations.

18. The method of claim 14, wherein applying an encryption analysis to the I/O operations comprises determining an amount of randomness in the read operations and write operations of the I/O operations.

19. The method of claim 18, wherein the amount of randomness is used to determine a type of file modification technique being used, wherein the file modification technique is at least one compression and encryption.

20. A computer-readable storage medium encoding computer executable instructions which, when executed by at least one processor, performs a method for implementing advanced file modification heuristics, the method comprising:
    monitoring software content, wherein the monitoring comprises detecting I/O operations associated with accessing data content;
    analyzing the I/O operations by:
        determining whether a first I/O block in the I/O operations is a read operation;
        when it is determined that the first I/O block is a read operation, analyzing the I/O operations to determine whether the I/O operations modify the data content; and
        when it is determined that the I/O operations modify the data content, applying a mathematical analysis to only the or instructions of the I/O operations to determine whether the software content is performing at least one of an encryption operation and a compression operation to the data content; and
    based on the mathematical analysis of only the instructions of the I/O operations, performing one or more actions relating to the software content.
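The abstract and claims 3 through 7 and 18 through 19 describe a recognisable pipeline: qualify a read-then-write sequence on a file (the first block must be a read, and the whole file must be read, claims 4 and 5), compare the cumulative read and write sizes (claim 6), measure the randomness of the written bytes with Shannon entropy, a chi-squared test and a Monte Carlo method (claims 7 and 18), and then categorise and act (claims 12 and 13). The Python sketch below is an added worked example of that pipeline; it is not code from the patent or from Webroot. The (kind, payload) I/O record layout, the 7.0 bits/byte and Monte Carlo thresholds, the SHA-256 counter-mode toy cipher standing in for a ransomware routine, the response policy and the log-like sample file are all assumptions made for illustration.

```python
"""Toy read-then-write file-modification heuristics in the spirit of the abstract
and of claims 3-7 and 18-19. Added illustration, not code from the patent or from
Webroot: the (kind, payload) I/O record layout, the thresholds, the toy stream
cipher and the sample file contents are all assumptions made for the example."""
import hashlib
import math
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def chi_squared(data: bytes) -> float:
    """Byte-histogram chi-squared statistic against a uniform distribution
    (255 degrees of freedom): uniform bytes score near 255, text in the thousands."""
    if not data:
        return 0.0
    expected, counts = len(data) / 256, Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def monte_carlo_pi(data: bytes) -> float:
    """Pi estimate from consecutive byte pairs taken as points in a 255x255 square:
    uniform bytes give about 3.14, printable text gives 4.0 (every point lands inside)."""
    pairs = [(data[i], data[i + 1]) for i in range(0, len(data) - 1, 2)]
    if not pairs:
        return 0.0
    return 4.0 * sum(x * x + y * y <= 255 * 255 for x, y in pairs) / len(pairs)

def analyze_trace(ops: list, file_size: int) -> dict:
    """ops is a list of ("read" | "write", payload) blocks for one file, in order.
    Qualify the sequence first (first block is a read, the whole file was read), then
    compare cumulative read/write sizes and the randomness of the written bytes."""
    if not ops or ops[0][0] != "read":
        return {"verdict": "not_monitored", "reason": "first I/O block is not a read"}
    read_bytes = b"".join(d for k, d in ops if k == "read")
    write_bytes = b"".join(d for k, d in ops if k == "write")
    if len(read_bytes) < file_size:          # claim 5: partial read, stop analysing
        return {"verdict": "not_monitored", "reason": "partial read"}
    if not write_bytes:
        return {"verdict": "read_only"}
    s = {"read_size": len(read_bytes), "write_size": len(write_bytes),
         "read_entropy": shannon_entropy(read_bytes),
         "write_entropy": shannon_entropy(write_bytes),
         "chi_squared": chi_squared(write_bytes),
         "monte_carlo_pi": monte_carlo_pi(write_bytes)}
    # Assumed thresholds: >= 7.0 bits/byte counts as random-looking output; a pi
    # estimate within 0.15 of the true value is the second randomness check.
    random_looking = s["write_entropy"] >= 7.0
    if random_looking and s["write_size"] < s["read_size"]:
        s["verdict"] = "compression"         # claim 6: random-looking and shrank
    elif random_looking and abs(s["monte_carlo_pi"] - math.pi) < 0.15:
        s["verdict"] = "encryption"          # random-looking, size preserved
    else:
        s["verdict"] = "plain_modification"
    return s

def decide_action(verdict: str) -> str:
    """Assumed response policy in the spirit of claims 12-13."""
    return {"encryption": "halt_and_restore", "compression": "notify"}.get(verdict, "allow")

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Deterministic toy stream cipher (SHA-256 in counter mode) that exists only to
    produce ciphertext-like bytes for the example; not a cipher for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

# Constructed sample file: log-like text that compresses well but is not trivial.
SAMPLE_FILE = "".join(
    f"2017-06-29 10:{i % 60:02d}:{(i * 7) % 60:02d} host{i % 9} proc[{1000 + i * 37}]: "
    f"opened /home/user{i % 13}/doc{i}.txt size={(i * 131) % 9973}\n" for i in range(300)
).encode()

def trace(new_content: bytes, read_all: bool = True, chunk: int = 4096) -> list:
    """Build a read-then-write I/O trace for SAMPLE_FILE in 4 KiB blocks."""
    src = SAMPLE_FILE if read_all else SAMPLE_FILE[:chunk]
    reads = [("read", src[i:i + chunk]) for i in range(0, len(src), chunk)]
    writes = [("write", new_content[i:i + chunk]) for i in range(0, len(new_content), chunk)]
    return reads + writes

def classify_samples() -> dict:
    """Run the heuristics over four constructed behaviours and return their verdicts."""
    cipher = keystream_xor(SAMPLE_FILE, b"example-key")
    cases = {"editor": trace(SAMPLE_FILE.replace(b"host3", b"host3-renamed")),
             "archiver": trace(zlib.compress(SAMPLE_FILE, 9)),
             "ransomware": trace(cipher),
             "partial_reader": trace(cipher, read_all=False)}
    return {name: analyze_trace(ops, len(SAMPLE_FILE))["verdict"] for name, ops in cases.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15s} {verdict:18s} -> {decide_action(verdict)}")
```

Two points worth noting when reading the example against the claims. Shannon entropy alone does not separate compressed from encrypted output, since both sit near 8 bits per byte; in this sketch the cumulative size comparison of claim 6 is what tells an archiver from an encryptor, and the Monte Carlo estimate only confirms that the written bytes are uniform rather than merely dense. The toy cipher also preserves length exactly, which real ransomware does not (headers, padding and appended keys change the size), so a production version of the size test needs a tolerance rather than the strict comparison used here.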
